Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What's the difference between a Key and a KeySpec?

In the Java crypto libraries, there are two different representations of a key - Key and KeySpec. The docs imply there's a difference between the two - a KeySpec is 'transparent' (whatever that means), but has no methods, whereas Key has got a getEncoded method. You're meant to use a KeyFactory to convert between the two (and it indeed has got a getKeySpec method to convert).

However, SecretKeySpec implements both Key and KeySpec! But there is a SecretKeyFactory class as well, that doesn't inherit off KeyFactory.

All this has left me thoroughly confused. What's the different between a Key and a KeySpec, and how does SecretKeySpec and SecretKeyFactory come into it?

like image 686
thecoop Avatar asked Mar 01 '16 17:03

thecoop


People also ask

What is a KeySpec?

Interface KeySpec A (transparent) specification of the key material that constitutes a cryptographic key. If the key is stored on a hardware device, its specification may contain information that helps identify the key on the device.

What is Secretkeyfactory?

This class represents a factory for secret keys. Key factories are used to convert keys (opaque cryptographic keys of type java. security. Key ) into key specifications (transparent representations of the underlying key material in a suitable format), and vice versa.


2 Answers

Transparent here means that all classes/interfaces implementing/extending the KeySpec interface are supposed to reveal metadata about the key, in a provider independent way. This metadata is never used actually in common uses of the key(encryption etc.), but only used if there is need to look into the mathematical attributes of the key. Knowledge of such provider independent data about the key can be useful for example if you want to generate the key from/to a byte stream, hook the key if it resides on an HSM, or even find out if a key is weak like:

DESKeySpec.isWeak(byte[] key, int offset)

Whatever metadata you want to expose about your key is upto you. KeySpec just acts as a marker interface (marker interface design pattern).

As opposed to such possible introspection with the KeySpec, the keys generated using SecretKeyFactory are "opaque", in the sense that you cannot get full mathematical(modulus, exponent, encoding, etc.) and other(if provided like DESKeySpec above) metadata about the key.

SecretKeySpec on the other hand is JCE's out of the box solution for generating keys from byte streams, and hence it implements both Key and KeySpec- to generate the key using KeySpec provided, and make the key available using Key.getEncoded().

like image 165
Umar Ashraf Avatar answered Sep 28 '22 00:09

Umar Ashraf


Key objects and key specifications (KeySpecs) are two different representations of key data.

Ciphers use Key objects to initialize their encryption algorithms, but keys may need to be converted into a more portable format for transmission or storage.

A transparent representation of keys means that you can access each key material value individually, through one of the get methods defined in the corresponding specification class.

For example, DSAPrivateKeySpec defines getX, getP, getQ, and getG methods, to access the private key x, and the DSA algorithm parameters used to calculate the key(the prime p, the sub-prime q, and the base g). 

If the key is stored on a hardware device, its specification may contain information that helps identify the key on the device.This representation is contrasted with an opaque representation, as defined by the Key interface, in which you have no direct access to the key material fields. In other words, an "opaque" representation gives you limited access to the key-just the three methods defined by the Key interface: getAlgorithm, getFormat, and getEncoded.

A key may be specified in an algorithm-specific way, or in an algorithm-independent encoding format (such as ASN.1).

For example, a DSA private key may be specified by its components x, p, q, and g (eg: DSAPrivateKeySpec), or it may be specified using its DER encoding (eg: PKCS8EncodedKeySpec).

The KeyFactory and SecretKeyFactory classes can be used to convert between opaque and transparent key representations that is, between Keys and KeySpecs.

Reference and more details available at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#KeySpecs

like image 42
Aajan Avatar answered Sep 28 '22 00:09

Aajan